AWS - Identity and Access Management (IAM)

Posted on Feb 02, 2019   ∣  4 min read  ∣  AWS

Identity and Access Management (IAM)

The key features of IAM:

● Shared Access to your Account
● Granular Permissions
● Secure Access to AWS Resources
● Identity Federation
● Identity Information for Assurance
● Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
● Password Policy
● Multi Factor Authentication (MFA)

Shared access to your AWS account

● Grant permission to users to access and use resources in your AWS account without sharing your password.

Granular Permissions

● Granular permissions allow different permissions to various users to manage their access to AWS, such as:
• User access to specific services
• Specific permissions for actions
• Specific access to resources

Secure Access

● Securely allocate credentials that applications on EC2 instances require to access other AWS resources.

Identity Federation

● Allows users with external accounts to get temporary access to AWS resources

Identity Information

● Log, monitor, and track what users are doing with your AWS resources.

PCI DSS Compliance

● Payment Card Industry (PCI) and Data Security Standard (DSS) compliant

Multi-Factor Authentication

● Two-Factor Authorization for users and resources to ensure absolute security using MFA devices

Password Policy

● IAM allows you to define password strength and rotation policies.

IAM Policies

● A document that defines one or more permissions
● Attached to users, groups, and roles
● Written in JavaScript Object Notation (JSON)
● Selected from a pre-defined AWS list of policies, or you can create your own policy

## AWS Policies ● AWS has many predefined policies which allow you to define granular access to AWS resources.
● There are around 200 predefined policies available for you to choose from.

AdministratorAccess Policy

● AdministratorAccess policy provides full access to AWS services and resources.

AmazonEC2FullAccess Policy

● AmazonEC2FullAccess policy provides AWS Directory Service user or groups full access to the Amazon EC2 services and resources

AmazonS3ReadOnlyAccess Policy

● AmazonS3ReadOnlyAccess policy provides read-only access to all buckets using the AWS Management Console


● AWS policies are written using JavaScript Object Notation (JSON).

  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:listbucket",
    "Resource": "arn:aws:s3:::example_s3_bucket"

Policy-wide information:
Version–Date this policy was created

One or more individual statements:
Effect–Allow permission
Action– 3 list bucket
Resource–Name of the S3 bucket

## IAM Users Users are defined as the people or systems that use your AWS resources.

## Security Credentials AWS provides numerous ways to provide secure user access to your AWS resources:

Key pairs:
• They consist of a public and private key
• A private key is used to create a digital signature
• AWS uses the corresponding public key to validate the signature

Email address and password
• They are created when you sign up to use AWS
• They are used to sign in to AWS web pages

IAM user name and password
• They allow multiple individuals or applications access to your AWS account
• Individuals use their user names and passwords to sign in

Multi-Factor Authentication (MFA)
• With AWS MFA enabled, users are prompted for a user name and password and for an authentication code from an MFA device

Access keys
• They consist of an access key and a secret access key
• They use access keys to sign programmatic requests

## IAM Groups ● AWS defines a group as a collection of users that inherit the same set of permissions.

## IAM Roles

IAM Roles are:
• Very similar to users
• Not password protected and do not require access keys
• AWS identities with permission policies that determine the access available to the identities
• Assumed by anyone who requires them

Create Individual IAM Users

• The benefits of creating individual IAM users:
• Control permissions at an individual level
• No shared accounts
• Unique credentials for everyone
• Easier to rotate credentials
• Easier to identify security breaches

Grant Least Privilege

When creating IAM policies, granting ”least privilege,” means that:
• You only grant required permissions
• It’s more secure to start with minimum permissions
• It’s easier to grant permissions than revoke them
• You protect your assets

## Manage Permissions with Groups Use permissions with groups to minimize the workload
Easy to assign new permissions
• It is easier to assign a new permission to a group than to assign it to many individual users.
Simple to reassign permissions
• It is simpler to reassign permissions if a user has a change in responsibilities.

Restrict Access with Further Conditions

• Use additional conditions such as MFA and Security Groups to ensure only the intended users get access.

## Monitor Activity in your AWS Account AWS has several features to log user actions.
• Logs
• AWS Cloudtrail

Create a Strong Password Policy

• Ensure that all your users have strong passwords and they rotate their passwords regularly.

Use Roles for Applications that run on EC2

• IAM Roles remove the need for your developers to store or pass credentials to AWS EC2.

## Reduce or Remove Unnecessary Credentials • To reduce the potential for misuse, run a credential report to identify users that are no longer in use and can be removed.

AWS Security Token Service (STS)

• It is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management users that you authenticate.

STS: Things To Remember

• Develop an Identity Broker to communicate with LDAP and AWS STS
• Identity Broker always authenticates with LDAP first and then AWS STS
• Application gets temporary access to AWS resources